> from: "Adam Lang" <aalang@xxxxxxxxxxxxxxxxxxxx>
> What on earth are you talking about? Who cares how
> many firewalls are between the public internet and the
> webserver?

I'm talking about company controlled LAN segments separating an iSeries server from the Internet. Access to LAN segments is controlled through firewalls. I'm talking about connecting the iSeries to a LAN segment as opposed to connecting it directly to the Internet.

> Your firewalls are routing the traffic for you.

The main purpose of the firewall is to filter traffic. I brought it up because Chris Bipes described a home-grown Windows-based service essentially filtering traffic to the AS/400. In general, would one rather have firewalls filtering traffic to the AS/400, or home-grown Windows applications?

> So if you have 5 firewalls, it doesn't matter.

Firewalls are used to define network zones. Several people have commented about the value of a DMZ, for example. The purpose and scope of firewalls may be an overly broad topic. But one firewall may filter DOS attacks, while another filters NETBIOS traffic, while another filters ports, depending on the purpose of the firewall and the scope of each LAN segment controlled by the firewall.

> You still pass the person from outside to the webserver.

Not to be pedantic, but a firewall may pass a "message" not a "person".

I'm suggesting that an HTTP Server under OS/400 is generally more secure than an HTTP server under Windows, Linux, and Unix. I'm also suggesting that simpler single platform application interfaces are less vulnerable than complex multi platform ones.

I hear of many shops opening an HTTP port to a Windows server, then opening the ODBC data ports from the Windows server to the iSeries. In contrast, opening just iSeries HTTP services for selected applications is easier to secure than locking down ODBC services. For data access, the HTTP server passes a request to an application. Otherwise the HTTP server won't provide access to the database.

My suggestion is that application level security be handled by iSeries applications for performance, simpler and easier to administer interfaces, and because the base OS is more secure. I'm suggesting that dividing applications between two platforms is generally more vulnerable, more difficult to develop and administer, poorer performing, and unnecessary when the data resides on an iSeries.

Nathan M. Andelin
www.relational-data.com
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.